
extraction of information from log files - my tests

AlbertoAlberto Enthusiast ✭✭



'SonicWall.log' sample:


Aug 3 00:00:00 10.1.0.1   id=firewall sn=abc time="2023-08-02 22:00:00 UTC" fw=1.2.3.4 pri=6 c=1024 m=97 app=11 sess="Web" n=136826077 usr="xyz" src=10.1.1.195:54453:X0 dst=18.198.69.109:443:X1 srcMac=ec:02:73:ab:e4:7f dstMac=00:00:5e:00:01:14 proto=tcp/https sent=1956 rcvd=5096 dpi=1 dstname=loadus.exelator.com arg=/ code=15 Category="Business and Economy" note="Policy: CFS Default Policy, Info: 6148 " rule="190 (LAN->WAN)" fw_action="NA"

Aug 3 00:00:00 10.1.0.1   id=firewall sn=abc time="2023-08-02 22:00:00 UTC" fw=1.2.3.4 pri=6 c=1024 m=97 app=11 sess="Web" n=136826077 usr="xyz" src=10.1.1.195:54453:X0 dst=18.198.69.119:443:X1 srcMac=ec:02:73:ab:e4:7f dstMac=00:00:5e:00:01:14 proto=tcp/https sent=1956 rcvd=5096 dpi=1 dstname=loadus.exelator.com arg=/ code=15 Category="Business and Economy" note="Policy: CFS Default Policy, Info: 6148 " rule="190 (LAN->WAN)" fw_action="NA"

Aug 3 00:00:00 10.1.0.1   id=firewall sn=abc time="2023-08-02 22:00:00 UTC" fw=1.2.3.4 pri=6 c=1024 m=97 app=11 sess="Web" n=136826077 usr="xyz" src=10.1.1.195:54453:X0 dst=18.198.69.109:443:X1 srcMac=ec:02:73:ab:e4:7f dstMac=00:00:5e:00:01:14 proto=tcp/https sent=1956 rcvd=5096 dpi=1 dstname=loadus.exelator.com arg=/ code=15 Category="Business and Economy" note="Policy: CFS Default Policy, Info: 6148 " rule="190 (LAN->WAN)" fw_action="NA"





----------------------------------------

#!/bin/bash
# prova.sh - extract selected fields from every line of SonicWall.log

while IFS= read -r line; do

  # Extract the user (usr field)
  user=$(echo "$line" | grep -o 'usr="[^"]\+"' | awk -F= '{print $2}' | tr -d '"')

  # Extract the destination IP address and port (dst field, format ip:port:interface)
  dst=$(echo "$line" | grep -o 'dst=[^ ]\+' | awk -F= '{print $2}')
  IFS=':' read -ra dst_parts <<< "$dst"
  dst_ip="${dst_parts[0]}"
  dst_port="${dst_parts[1]}"

  # Extract the source IP address and port (src field, format ip:port:interface)
  src=$(echo "$line" | grep -o 'src=[^ ]\+' | awk -F= '{print $2}')
  IFS=':' read -ra src_parts <<< "$src"
  src_ip="${src_parts[0]}"
  src_port="${src_parts[1]}"

  # Extract the destination domain name (dstname field)
  dstname=$(echo "$line" | grep -o 'dstname=[^ ]\+' | awk -F= '{print $2}')

  # Extract the rule value (rule field)
  rule=$(echo "$line" | grep -o 'rule="[^"]\+"' | awk -F= '{print $2}' | tr -d '"')

  echo "Destination domain name: $dstname"
  echo "Rule value: $rule"
  echo "Source IP address: $src_ip"
  echo "Destination IP address: $dst_ip"
  echo "Source port: $src_port"
  echo "Destination port number: $dst_port"
  echo "User: $user"

  # Add a blank line between the results of each log line
  echo ""

done < 'SonicWall.log'

-----

output:


Category: High End Firewalls
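As an added example (not from Alberto's post, nor SonicWall code), the same fields extracted in a single awk pass per line instead of one grep per field, so quoted values that contain spaces, such as note="Policy: CFS Default Policy, Info: 6148 " and rule="190 (LAN->WAN)", survive intact and a key like srcMac is never mistaken for src. The sample line is constructed from the post's format and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: parse a SonicWall key=value line in
# one awk pass rather than one grep per field, so quoted values that contain
# spaces (note="...", rule="190 (LAN->WAN)") survive intact and srcMac= is
# never confused with src=.

# Constructed sample line modelled on the post's format (placeholder values).
SAMPLE_LINE='Aug 3 00:00:00 10.1.0.1   id=firewall sn=abc time="2023-08-02 22:00:00 UTC" fw=1.2.3.4 pri=6 usr="xyz" src=10.1.1.195:54453:X0 dst=18.198.69.109:443:X1 srcMac=ec:02:73:ab:e4:7f proto=tcp/https dstname=loadus.exelator.com note="Policy: CFS Default Policy, Info: 6148 " rule="190 (LAN->WAN)" fw_action="NA"'

# get_field LINE KEY: print the value of KEY with surrounding quotes removed,
# or nothing if the key is absent. Keys are compared exactly.
get_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
    {
        s = $0
        while (match(s, /[A-Za-z_]+=("[^"]*"|[^ ]*)/)) {
            kv = substr(s, RSTART, RLENGTH)
            s  = substr(s, RSTART + RLENGTH)
            eq = index(kv, "=")
            k  = substr(kv, 1, eq - 1)
            v  = substr(kv, eq + 1)
            if (substr(v, 1, 1) == "\"") v = substr(v, 2, length(v) - 2)
            if (k == key) { print v; exit }
        }
    }'
}

# endpoint_part VALUE N: field N of an "ip:port:interface" src/dst value.
endpoint_part() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# summarize LINE: tab-separated user, src ip, src port, dst ip, dst port,
# dstname and rule, the same fields the post's script prints.
summarize() {
    src=$(get_field "$1" src)
    dst=$(get_field "$1" dst)
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(get_field "$1" usr)" \
        "$(endpoint_part "$src" 1)" "$(endpoint_part "$src" 2)" \
        "$(endpoint_part "$dst" 1)" "$(endpoint_part "$dst" 2)" \
        "$(get_field "$1" dstname)" "$(get_field "$1" rule)"
}

summarize "$SAMPLE_LINE"
```

To process a whole file, call summarize inside the same `while IFS= read -r line` loop the post uses.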

